Why you’re using Tor wrong

Tor (The Onion Router) provides a way to anonymize servers on the internet. If there’s content you want to publish while you remain anonymous, Tor is your main option. Over 100,000 Tor sessions are used daily.

ONION SERVICES

Tor provides end-to-end security and self-certifying domain names. Servers are anonymous to clients, and clients are anonymous to servers.

Onion domain names are derived from an RSA key pair: an SHA-1 hash of the public key is truncated and encoded as a 16-character base32 string. If you know the domain, you know the public key. That’s handy, but the unwieldy domain name is hard to write and remember.

THE RESEARCH

In the paper “How Do Tor Users Interact With Onion Services?”, researchers from Princeton University looked at how people understand and use Tor. In addition to an online survey of 517 users, another 17 users completed semi-structured interviews.

Though 60 percent of the respondents had graduate degrees, many of them misunderstood key aspects of Tor. The domain format, for example, is not well understood, leaving users open to phishing attacks or common typos.

The researchers go on to suggest a variety of design improvements, from an onion search engine to features as simple as the public internet’s padlock icon to indicate that onion service security is operational.

THE STORAGE BITS TAKE

For all the shortcomings of commercial products – and they are legion – it is sobering to see Tor compared to the 90s web. Few non-commercial products, whose developers are almost always unpaid, have the resources of a commercial firm.